Analyst finds flaws in Canon image verification system

A system used to digitally sign Canon photos for use as evidence has major flaws, according to a Russian company

A cryptographic system used by Canon to ensure that digital images haven't been altered is flawed and can't be fixed, according to a Russian security company that specializes in encryption.

Mid- to high-end Canon digital cameras have a feature called "Original Decision Data" (ODD), which is a digital signature that can be verified to see if a photo has been retouched or if data such as timestamps or GPS coordinates have been changed. The Associated Press news wire uses the system, which can also be used to verify photos used as evidence.

But the digital signature can be forged because of design flaws in Canon's system, according to Dmitry Sklyarov, an IT security analyst with Elcomsoft, which specializes in password recovery systems. Sklyarov was due to give a presentation on the flaws at the Confidence IT security event in Prague on Tuesday afternoon.

Elcomsoft has published photos -- including one of an astronaut planting the flag of the Soviet Union on the moon -- that Canon's own verification kit, a smart card plus special software, reports as untampered when they are checked.

Elcomsoft shared a copy of Sklyarov's presentation, which hasn't been released publicly, with IDG News Service. In it, he describes how the secret key for the Hash-based Message Authentication Code (HMAC) that produces the ODD can be extracted from the memory of several different Canon camera models.

In Canon's second version of its ODD system, the HMAC key is 256 bits long and is the same for every camera of a given model. Knowing the key for one camera of a model therefore allows the ODD to be forged for any camera of that model, Sklyarov wrote.

The problem is that the key sits in the camera's RAM in de-obfuscated form and can be read out from there, according to Sklyarov. It can also be extracted from the camera's flash ROM and de-obfuscated manually. Canon later released a third version of ODD, which Sklyarov was also able to break and whose ODD he could also forge. Elcomsoft has written a program that analyzes a camera's processor and firmware for this purpose.

The problem is a design flaw and can't be fixed, according to Elcomsoft. Sklyarov said he was able to extract the HMAC keys for the following models: EOS 20D, EOS 5D, EOS 30D, EOS 40D, EOS 450D, EOS 1000D, EOS 50D, EOS 5D Mark II, EOS 500D and EOS 7D.

For future models, Sklyarov wrote, Canon could perform the HMAC calculation inside a cryptoprocessor that never exposes the key. Canon should also prevent its cameras from running non-Canon code, so that an attacker cannot load software tools onto the camera.
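The structural weakness the presentation describes, and the limit of the suggested fix, can be shown in a few lines. The example below is added here and is not Canon's or Elcomsoft's code; the key, the image bytes and the metadata are constructed, and the exact fields Canon hashes into the ODD are an assumption. It models the ODD as an HMAC-SHA256 under one per-model key, then shows that editing GPS data without the key is caught, while a forger who has extracted that key re-tags the edited photo (and can even claim a different camera body of the same model) so that the verifier accepts it.

```python
import hashlib
import hmac
import json

# Constructed stand-in for one model's shared 256-bit HMAC key. The real keys
# are Canon's; this value is made up for the example.
MODEL_KEY = hashlib.sha256(b"constructed per-model key for the example").digest()


def canonical_metadata(meta: dict) -> bytes:
    """Serialise metadata deterministically so camera and verifier hash the same bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def compute_odd(model_key: bytes, image: bytes, meta: dict) -> bytes:
    """Assumed ODD construction: HMAC-SHA256 over length-prefixed image bytes plus metadata.

    The fields and order Canon actually hashes are not stated on the page; the
    length prefix only keeps the two inputs from being confused for each other.
    """
    mac = hmac.new(model_key, digestmod=hashlib.sha256)
    mac.update(len(image).to_bytes(4, "big"))
    mac.update(image)
    mac.update(canonical_metadata(meta))
    return mac.digest()


def verify_odd(model_key: bytes, image: bytes, meta: dict, tag: bytes) -> bool:
    """What any verifier must do: recompute the MAC with the same key and compare in constant time."""
    return hmac.compare_digest(compute_odd(model_key, image, meta), tag)


def forge_odd(model_key: bytes, image: bytes, meta: dict, changes: dict) -> tuple:
    """An attacker holding the extracted key applies changes and re-tags: the camera's own code path."""
    new_meta = {**meta, **changes}
    return new_meta, compute_odd(model_key, image, new_meta)


def demo() -> dict:
    # Constructed sample: a few bytes standing in for JPEG data, plus the kind
    # of metadata ODD is meant to protect.
    image = b"\xff\xd8\xff\xe0" + b"constructed JPEG payload" + b"\xff\xd9"
    meta = {"model": "EOS 5D", "serial": "0001",
            "timestamp": "2010-11-30T12:00:00Z", "gps": [51.5074, -0.1278]}
    tag = compute_odd(MODEL_KEY, image, meta)

    # Editing the GPS fix without the key leaves the old tag invalid.
    edited = {**meta, "gps": [0.6734, 23.4730]}
    edit_detected = not verify_odd(MODEL_KEY, image, edited, tag)

    # With the model key in hand, the forger re-tags the edited metadata and
    # attributes the photo to another body of the same model.
    forged_meta, forged_tag = forge_odd(
        MODEL_KEY, image, meta, {"gps": [0.6734, 23.4730], "serial": "9999"})
    forgery_verifies = verify_odd(MODEL_KEY, image, forged_meta, forged_tag)

    return {"genuine_verifies": verify_odd(MODEL_KEY, image, meta, tag),
            "edit_detected": edit_detected,
            "forgery_verifies": forgery_verifies}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should take from this: a MAC can only be checked by a party holding the signing key, so Canon's verification smart card must itself carry the per-model key and is a second extraction target. Moving the HMAC into a cryptoprocessor, as the presentation suggests, stops the RAM read-out on the camera but keeps that symmetric structure; only a per-camera signature scheme, with the private key locked in the cryptoprocessor and verifiers holding nothing but public keys, lets a third party verify without being able to forge.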

Elcomsoft made several attempts, starting about three months ago, to notify Canon of the problem but received no response, said Katerina Korolkova, an Elcomsoft spokeswoman. A senior manager in Canon's technical department eventually acknowledged receipt of the report.

"We have provided them all of our technical findings," she said.

Elcomsoft told Canon it planned to release details of the problem, and the company has also notified the U.S. Computer Emergency Response Team, Korolkova said. Elcomsoft plans to release Sklyarov's full presentation on its website in about two weeks.

The design flaws could allow defense attorneys to challenge photographic evidence once details of the flaws become public and are put to use.

"If defense teams raise concerns about the veracity of images or of any evidence, then the court would hear legal argument on the issue and make their decision," according to a spokeswoman for the U.K.'s Crown Prosecution Service.

Canon officials were not immediately available for comment on Tuesday.
